We have spent significant time and resources building robust security practices. We know that network outages are bad, and that a compromise of our users’ sensitive data is even worse. Here are some highlights. If you’d like more information, we’d be happy to arrange a call with someone on your team.

Always encrypted data

Your sensitive data is encrypted every step of the way; we never receive or transmit unencrypted account information. We first encrypt sensitive data in the browser, then re-encrypt it with an even more secure algorithm (RSA 2048 and SHA-256) once it reaches our servers. All web connections are sent via 256-bit SSL.

Secure AWS Account Access

Aviatrix uses roles for cross-account access, which is the current best practice for granting access to resources in one account (yours) to a trusted principal in a different account (Aviatrix Hosted Service). Aviatrix does not require an IAM User, nor does it require you to share Access Keys, which are outdated processes with potential security risks. Roles created to grant Aviatrix Hosted Service access to your account follow a specific policy that can easily be revoked by you at any time. Aviatrix always uses an external ID when assuming the cross-account role, according to AWS best practices, to avoid the "confused deputy" problem.

Strict security and key management procedures

Staff members do not have the ability to decrypt encrypted account data, and we use extensive best practices to keep your sensitive information secure.

If you’d like more detail about our approach to security, we’d be happy to arrange a call with a member of your team. Email support@aviatrix.com.

Vulnerability Reporting

Aviatrix understands and values the trust our customers place in us. We take security very seriously, and investigate all reported vulnerabilities. The following describes our practice for addressing potential vulnerabilities in any aspect of our services.

If you believe you have discovered a vulnerability in Aviatrix, contact us as described below. So that we may more rapidly and effectively respond to your report, please provide any supporting material (proof-of-concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.

We will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.

Once the report has been reviewed, Aviatrix will work to validate the reported vulnerability and reproduce it. If additional information is required in order to validate or reproduce the issue, we will work with you to obtain it. When the initial investigation is complete, results will be delivered to you along with a plan for resolution and public disclosure.

If the issue cannot be validated, or is not found to be a flaw in an Aviatrix product, this will be shared with you.

In order to protect our customers, Aviatrix requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed. Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.